The Cybersecurity 202: DARPA has a plan to making voting machines far more secure

An “I Voted” sticker is shown in the Voting Machine Hacking Village during the Def Con convention. (Steve Marcus/REUTERS)

The Pentagon research agency that played a key role in inventing GPS and the Internet has a plan to make voting machines far more secure against hackers.

The Defense Advanced Research Projects Agency intends to re-engineer voting machines’ hardware – basically the machines' physical components, such as computer chips and circuits – so that many of the tricks hackers use to undermine the software become impossible.

That’s a fundamentally different approach from most cybersecurity efforts, which focus on updating and patching software each time a new bug is discovered.

If the project is successful it will make it far more difficult for hackers to penetrate and manipulate voting systems as Russian hackers tried to do in 2016. There’s no evidence Russian hackers actually penetrated machines, but the effort — along with a broader hacking and disinformation campaign targeting Democratic nominee Hillary Clinton — sparked big questions about the influence of foreign actors in U.S. elections and ultimately led to a probe of possible ties to the Trump campaign by special prosecutor Robert Mueller.

“This seems to us to have a deep national interest,” Linton Salmon, the DARPA program manager leading the project, told me. “Most of us want to make sure our votes get counted.”

One big hurdle: There’s no requirement for voting machine vendors that supply states with election equipment to adopt the new hardware. Once DARPA achieves its goal, it plans to simply publish all the technical details so any organization that wants to build the new machines can do so.

There will likely be intense pressure on election vendors, however, to adopt the hardware from the election security community, which has criticized vendors for being opaque when it comes to protecting their machines.

The project is part of a broader DARPA effort to use more secure hardware to protect against hacking in numerous sectors -- including at energy plants, financial services firms and the defense industrial base. By making voting machines their first focus area, the agency hopes to excite the interest of the tech industry and the broader public and to help boost security in a highly important area, Salmon told me.

The project won't be complete for another two years, however, and it often takes a year or more to replace a digital system's hardware.So it's unlikely to achieve its goal before the 2020 elections.

DARPA has awarded about $15.5 million to eight grant recipients to work on the broader hardware project. It awarded another $4.5 million to the Portland, Ore., security firm Galois to apply those hardware fixes to real-world threat situations – in this case, voting machines.

Galois unveiled the voting machines at a George Washington University election security conference Thursday. DARPA and Galois plan to take their prototype voting machines to the Def Con hacking conference in Las Vegas in August where they’ll invite ethical hackers to try to crack into them. Hackers at that conference found numerous vulnerabilities in existing voting machines during last year’s conference.

After Def Con, DARPA and Galois want to take the machines on a tour of universities where they’ll do similar live-fire testing with graduate computer science students. Then they’ll bring an improved system back to Def Con in 2020.

“We feel the best way is to open it up to the best hacker community in the world,” Salmon told me. “This is getting us a lot better evaluation than we’d get from hiring five gurus to attack it.”

The revamped hardware won’t protect against all potential software hacks, Salmon warned — just against seven main categories DARPA believes can be fully thwarted with a hardware rewrite and that accounted for about 60 percent of all known software vulnerabilities as of 2015.

There are other categories of hacks, though, that don’t have a hardware fix, so the new system wouldn’t be a replacement for other election-security efforts, such as mandating paper ballots or auditing election results.

During the same conference where Galois unveiled the voting machine program, Sen. Ron Wyden (D-Ore.) accused voting machine makers of refusing to answer questions about their security and valuing profits over the integrity of votes.

“The maintenance of Americans’ constitutional rights should not depend on the good graces and sketchy ethics of a handful of well-connected corporations,” Wyden said.

Timed with the conference, Wyden reintroduced an election security bill, the Protecting American Votes and Elections Act, which would authorize the Homeland Security Department to set minimum cybersecurity standards for voting machine makers.

You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.

The report — compiled by a former FBI cyber expert on behalf of BuzzFeed — gives added credence to an allegation first made in a controversial and disputed dossier written by former Britsh spy Christopher Steele. The Russian entrepreneur, Aleksej Gubarev, sued BuzzFeed after it was the first outlet to publish the Steele dossier and BuzzFeed commissioned the report during the trial.

"The 35-page Steele dossier also alleged that Gubarev played a 'significant' role in the hacking operation 'under duress' from the Russian security agency FSB," my colleagues reported. "Gubarev has also denied that allegation — and the new forensic analysis, conducted by an expert paid by BuzzFeed as part of the suit, provides no evidence to support the claim that Gubarev was involved."

Patched: It was a big day for cybersecurity on the Hill. First off, there was Wyden's Protecting American Votes and Elections Act. In addition to raising standards for voting machine cybersecurity, that bill would also require paper ballots for all votes and post-election audits to ensure votes were tabulated correctly.

The bill also bars states and localities from contracting with any election security vendor that isn’t entirely owned by people or organizations in the United States or four key allies — the United Kingdom, Canada, Australia and New Zealand.

Sen. John Cornyn (R-Tex.) speaks to members of the news media. (Michael Reynolds/EPA-EFE)

PWNED: Sens. John Cornyn (R-Tex.) and Tammy Baldwin (D-Wis.) introduced a bill that would require rail transit services, such as subways, to develop cybersecurity risk plans and would require rail systems that receive federal funding to do third-party risk assessments of some components in their trains and operating systems.

The Transit Infrastructure Vehicle Security Act would also bar rail companies that accept federal money from buying rail or bus components from companies linked with the Chinese government. The bill comes as senators are cautioning the D.C. metro system against buying next-generation rail cars from China.

PUBLIC KEY

Cybersecurity news from the public sector:

The top tech official who helped revamp and secure Democratic party computer systems after they were breached by Russian hackers in 2016 is stepping down, BuzzFeed reported. Raffi Krikorian held top tech jobs at Twitter and Uber before moving to the Democratic National Committee in 2017.

“During his tenure, the DNC moved its data operations in-house for the first time; taught the chair of the DNC, Tom Perez, how to use the encrypted messaging app, Signal; instituted regular simulat[ed] phishing drills; pressured state parties to update their own practices; and hired a top Silicon Valley official, former Yahoo executive Bob Lord, to step in as chief security officer,” BuzzFeed reported.

Krikorian is returning to California where he will join the Emerson Collective, the philanthropy company founded by Laurene Powell Jobs, according to the Buzzfeed report.

The U.S. military is recruiting electric utilities and grid operators as partners in an aggressive new strategy aimed at spotting and blocking hackers before they launch a cyberattack on energy infrastructure.